CROSS REFERENCE TO RELATED APPLICATIONS

This application contains subject matter related to co-pending
U.S. Patent Application Serial No. 556,358, entitled "Encryption
System For Digital Cellular Communications"; to co-pending U.S.
Patent Application Serial No. [illegible], entitled "Continuous
Cipher Synchronisation for Cellular Communication System"; and to
co-pending U.S. Patent Application Serial No. [illegible],103,
entitled "Resynchronisation of Encryption Systems Upon Handoff";
each of which was filed on July 20, 1990 and assigned to the
assignee of the present invention. Such applications and the
disclosures therein are hereby incorporated by reference herein.

BACKGROUND OF THE INVENTION

The present invention relates to digital cellular communication
systems, and more particularly, to a method and apparatus for
enhancing the security of data communications within such a
system.

History of the Prior Art

Cellular radio communications is, perhaps, the fastest growing
field in the world-wide telecommunications industry. Although
cellular radio communication systems comprise only a small
fraction of the telecommunications systems presently in
operation, it is widely believed that this fraction will steadily
increase and will represent a major portion of the entire
telecommunications market in the not too distant future. This
belief is grounded in the inherent limitations of conventional
telephone communications networks which rely primarily on wire
technology to connect subscribers within the network. A standard
household or office telephone, for example, is connected to a
wall outlet, or phone jack, by a telephone cord of a certain
maximum length. Similarly, wires connect the telephone outlet
with a local switching office of the telephone company. A
telephone user's movement is thus restricted not only by the
length of the telephone cord, but also by the availability of an
operative telephone outlet, i.e. an outlet which has been
connected with the local switching office. Indeed, the genesis of
cellular radio systems can be attributed, in large part, to the
desire to overcome these restrictions and to afford the telephone
user the freedom to move about or to travel away from his home or
office without sacrificing his ability to communicate effectively
with others. In a typical cellular radio system, the user, or the
user's vehicle, carries a relatively small, wireless device which
communicates with a base station and connects the user to other
mobile stations in the system and to landline parties in the
public switched telephone network (PSTN).

A significant disadvantage of existing cellular radio
communication systems is the ease with which analog radio
transmissions may be intercepted. In particular, some or all of
the communications between the mobile station and the base
station may be monitored, without authorisation, simply by tuning
an appropriate electronic receiver to the frequency or
frequencies of the communications. Hence, anyone with access to
such a receiver and an interest in eavesdropping can violate the
privacy of the communications virtually at will and with total
impunity. While there have been efforts to make electronic
eavesdropping illegal, the clandestine nature of such activities
generally means that most, if not all, instances of eavesdropping
will go undetected and, therefore, unpunished and undeterred. The
possibility that a competitor or a foe may decide to "tune in" to
one's seemingly private telephone conversations has heretofore
hindered the proliferation of cellular radio communication
systems and, left unchecked, will continue to threaten the
viability of such systems for businesses and government
applications.

It has recently become clear that the cellular radio
telecommunications system of the future will be implemented using
digital rather than analog technology. The switch to digital is
dictated, primarily, by considerations relating to system speed
and capacity. A single analog, or voice, radio frequency (RF)
channel can accommodate four (4) to six (6) digital, or data, RF
channels. Thus, by digitising speech prior to transmission over
the voice channel, the channel capacity and, consequently the
overall system capacity, may be increased dramatically without
increasing the bandwidth of the voice channel. As a corollary,
the system is able to handle a substantially greater number of
mobile stations at a significantly lower cost.

Although the switch from analog to digital cellular radio systems
ameliorates somewhat the likelihood of breaches in the security
of communications between the base station and the mobile
station, the risk of electronic eavesdropping is far from
eliminated. A digital receiver may be constructed which is
capable of decoding the digital signals and generating the
original speech. The hardware may be more complicated and the
undertaking more expensive than in the case of analog
transmission, but the possibility persists that highly personal
or sensitive conversations in a digital cellular radio system may
be monitored by a third party and potentially used to the
detriment of the system users. Moreover, the very possibility of
third parties eavesdropping of a telephone conversation
eliminates cellular telecommunications as a medium for certain
government communications. Certain business users may be equally
sensitive to even the possibility of a security breach. Thus, to
render cellular systems as viable alternatives to the
conventional wireline networks, security of communications must
be available on at least some circuits.



Various solutions have been proposed to alleviate the security
concerns engendered by radio transmission of confidential data. A
known solution, implemented by some existing communication
systems, uses cryptoalgorithms to encrypt (scramble) digital data
into an unintelligible form prior to transmission. See, for
example, the article entitled "Cloak and Data" by Rick Graham in
BYTE Magazine dated June 1990 at pages 311-324, for a general
discussion of cryptographic systems. In most systems currently
available, speech is digitised and processed through an
encryption device to produce a communications signal that appears
to be random or pseudo-random in nature until it is decrypted at
an authorised receiver. The particular algorithm used by the
encryption device may be a proprietary algorithm or an algorithm
found in the public domain. Further background for such
techniques may be found in the article entitled "The Mathematics
of Public-Key Cryptography" by Martin E. Hellman in Scientific
American dated August 1973 at 146-167.

One technique for the encryption of data relies on "time-of-day"
or "frame number" driven keystream generators to produce
keystreams of pseudo-random bits which are combined with the data
to be encrypted. Such keystream generators may be synchronised to
a time of day counter, i.e. hour, minute and second, or to a
simple number counter and the encryption and decryption devices
may be synchronised by transmitting the current count of the
transmitter counter to the receiver in the event one falls out of
synchronisation with another.

To increase the security of communications in systems utilising
time-of-day or frame number driven keystream generators, the
value of each bit in the pseudo-random keystream is preferably
made a function of the values of all the key bits in an
encryption key. In this manner, a person desiring to descramble
the encrypted signal must "crack" or "break" all of the bits of
the encryption key which may be in the order of fifty (50) to one
hundred (100) bits or more. A keystream of this type is generally
produced by mathematically expanding the encryption key word in
accordance with a selected algorithm which incorporates the count
of the time-of-day counter. However, if every bit of the
encryption key is to influence every bit in the keystream and if
the keystream is to be added to the data stream bits on a
one-to-one basis, the required number of key word expansion
computations per second is enormous and can readily exceed the
real time computational capability of the system. The co-pending
application entitled "Encryption System for Digital Cellular
Communications", referred to above, achieves such expansion of
the keystream with conventional microprocessors and at
conventional microprocessor speeds.

The use of an encryption key to generate a pseudo-random
keystream which is a complex function of all the key bits is a
very useful tool for securing digital communications. Other tools
may include arrangements for ensuring that the secret key
assigned to each mobile station (the permanent key) is never
directly used outside of the home network, i.e., the normal
service and billing area of the mobile station. Instead, the
permanent key is used to generate other bits (the security key)
which are used for enciphering a particular call and which may be
transmitted from the home network to a visited network, i.e., an
area other than the normal billing area into which the mobile
Such arrangements reduce the risk of
disclosure of the permanent secret key to a
third party which may use that key to defeat the encryption
process.

Yet another tool for securing communications in a digital
cellular system is the authentication of mobile stations at
registration, call initiation or call reception. Authentication
may be simply viewed as the process of confirming the identity of
the mobile station. Both authentication and encryption require
communication between the visited network and the home network,
where the mobile station has a permanent registration, in order
to obtain



WO 92/02087 




key used
present invention the
and encryption are linked so
transition, establishes both
in detail hereafter, the present invention achieves such
integration by generating, in the same transaction, not only a
key-dependent response (RESP) to a random challenge (RAND), but
also the security key (S-key) used to encipher user traffic.
In the American Digital Cellular (ADC) system currently under
development, only the air interface is directly specified.
Nevertheless, the specification of desirable security functions
within the ADC system, e.g., authentication and encryption, can
indirectly determine the network security architecture. With
respect to authentication, the architecture options relate to
whether the authentication algorithm should be executed in the
home network or, alternatively, in the visited network. A choice
between the two options is necessary for the definition of a
suitable algorithm because the possible input parameters to the
algorithm which are available in the home network may not
necessarily be the same as those which are available in the
visited network. As explained hereafter, the present invention
takes account of the significant security benefits which attach
to the execution of the authentication algorithm in the home
network.

A serious problem in existing cellular systems may be referred to
as the "false mobile station" syndrome. Heretofore, it has been
possible to copy the entire memory contents of a mobile station
and to use that information to manufacture clones which can
demand and receive service from the network. One proposed
solution is to provide each authorised mobile station with a
specific authentication module, or smart card, which has
write-only access for the permanent key. This solution, however,
renders the mobile station more complex and more expensive. The
present invention includes a "rolling key" which provides a more
cost effective safeguard against the threat of false mobile
stations. In addition, to meet the threat of a "false base
station" in the network, the present invention includes a
bilateral authentication procedure which may be used when the
rolling key is updated. This two-way authentication procedure
enhances security and permits bilateral authentication to be
performed on the dedicated traffic channels of the system at any
time during a call. Each authentication step may be performed at
the option of the network operator, but must be performed at
least once after the active presence of a mobile station is first
detected within a network so as to generate an S-key for the
first call.

A mobile station may occasionally roam into a small, isolated
visited network which lacks the communications links with the
home network needed to support authentication and encryption in
accordance with the general system of the present invention. Such
a visited network may choose to accept a call or registration
from the mobile station without performing authentication and to
indicate by means of a bit in the traffic channel definition that
the mobile identification number (MIN) of the mobile station may
be used as a default S-key.

The system of the present invention will be set forth below in
connection with an overall digital cellular system and a system
for generating a pseudo-random keystream for use in enciphering
traffic data in the cellular system. Where appropriate or useful
for purposes of background and/or comparison, reference will be
made to the EIA/TIA Interim Standard, "Cellular System Dual-Mode
Mobile Station - Base Station Compatibility Standard", IS-54, May
1990, published by the Electronic Industries Association, 2001
Pennsylvania Ave., N.W., Washington, D.C. 20006 (hereinafter
referred to as "IS-54" and hereby incorporated by reference
herein).

SUMMARY OF THE INVENTION

In one aspect the system of the invention includes the generation
of a plurality of parameters for use in enhancing the security of
communication in a digital cellular communications system in
which each mobile station is assigned a unique multi-digit secret
permanent key and in which a periodically changed multi-digit
rolling key is employed for increased security. Both the
permanent key and the rolling key are stored in each mobile
station and the home network of the mobile. A plurality of
multi-digit input signals are used which include a signal
representative of a random authentication inquiry from a visited
network and a signal representative of a particular mobile
station along with the multi-digit permanent key of the
particular mobile station and the multi-digit rolling key
associated with the particular mobile at that particular time.
The digits of the input signals are arranged in a first grouping
and from that grouping of input signals and the permanent and
rolling key digits a first output value is calculated in
accordance with a first algorithm. Sequentially arranged blocks
of digits comprising said first output value are assigned to
selected parameters for use within the system, including, an
authentication response to be used by the mobile station to reply
to the authentication inquiry by the visited network and an
authentication signal to be used by the visited network to
authenticate it to the mobile station. The digits of the input
signals are then arranged in a second grouping and from that
grouping of input signals and the permanent and rolling key
digits a second output value is calculated in accordance with a
second algorithm. Sequentially arranged blocks of digits
comprising said second output value are assigned to selected
parameters for use within said system, including, a security key
to be used to calculate a keystream of pseudo-random bits for
enciphering communications data within the system and a new
rolling key to be associated with the particular mobile at a next
particular time.

In another aspect of the invention, certain random numbers used
in the first and second algorithms are obtained from a look-up
table which is also used to obtain random numbers used in an
algorithm for calculating a pseudorandom bit stream for
enciphering communications data within the system.

In still another aspect of the invention, there is included a
system for implementing a digital cellular communications system
which includes communications traffic encryption along with
bilateral authentication and encryption key generation.
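The transaction summarised above, as an added example that is not code from the patent: one challenge yields the authentication response, the network's authentication signal, the S-key and the next rolling key, and a copied memory image stops working once the genuine mobile has stepped its rolling key. HMAC-SHA256 stands in for the first and second algorithms (not given on this page); field widths, sample keys and all names are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Field widths in bytes are assumptions; the page states no sizes.
RESP_LEN, BS_AUTH_LEN, SKEY_LEN, ROLL_LEN = 4, 4, 8, 4


def keyed_mix(perm_key, grouping):
    """Stand-in for the first/second algorithm, which this page does not give."""
    return hmac.new(perm_key, grouping, hashlib.sha256).digest()


def derive(perm_key, rolling_key, rand, mobile_id):
    """Compute all four parameters of one authentication transaction."""
    # Fields are fixed-width here, so plain concatenation is unambiguous.
    # First grouping of the inputs -> first output value.
    first = keyed_mix(perm_key, b"\x01" + rand + mobile_id + rolling_key)
    # Second grouping (same inputs, different arrangement) -> second output.
    second = keyed_mix(perm_key, b"\x02" + rolling_key + mobile_id + rand)
    # Sequential blocks of each output value are assigned to the parameters.
    return {
        "resp": first[:RESP_LEN],
        "bs_auth": first[RESP_LEN:RESP_LEN + BS_AUTH_LEN],
        "s_key": second[:SKEY_LEN],
        "next_rolling": second[SKEY_LEN:SKEY_LEN + ROLL_LEN],
    }


@dataclass
class KeyStore:
    """Keys held by a mobile station and mirrored in its home network."""
    mobile_id: bytes
    perm_key: bytes
    rolling_key: bytes


def transaction(mobile, home, rand, forged_bs_auth=None):
    """Run one challenge. Return the S-key, or None if either side rejects."""
    net = derive(home.perm_key, home.rolling_key, rand, home.mobile_id)
    mob = derive(mobile.perm_key, mobile.rolling_key, rand, mobile.mobile_id)
    # Network checks the mobile: a stale rolling key gives a wrong response.
    if not hmac.compare_digest(mob["resp"], net["resp"]):
        return None
    # Mobile checks the network before it accepts a rolling key update.
    offered = net["bs_auth"] if forged_bs_auth is None else forged_bs_auth
    if not hmac.compare_digest(offered, mob["bs_auth"]):
        return None
    # Both ends step the rolling key in the same transaction.
    mobile.rolling_key = mob["next_rolling"]
    home.rolling_key = net["next_rolling"]
    return mob["s_key"]


def demo():
    # Constructed sample values, not taken from the page.
    mobile_id = b"0005550100"
    perm, roll = bytes(range(16)), b"\xaa\xbb\xcc\xdd"
    home = KeyStore(mobile_id, perm, roll)
    mobile = KeyStore(mobile_id, perm, roll)
    clone = KeyStore(mobile_id, perm, roll)  # memory image copied right now
    results = {}
    results["first_call"] = transaction(mobile, home, b"\x01\x02\x03\x04")
    results["clone"] = transaction(clone, home, b"\x05\x06\x07\x08")
    results["false_base"] = transaction(
        mobile, home, b"\x09\x0a\x0b\x0c", forged_bs_auth=bytes(BS_AUTH_LEN))
    results["second_call"] = transaction(mobile, home, b"\x0d\x0e\x0f\x10")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if value else "rejected")
```

If the copy is used before the genuine mobile, it is the genuine mobile that falls out of step, so the mismatch still surfaces at the home network on the next challenge.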

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be better understood and its numerous
objects and advantages will become apparent to those skilled in
the art by reference to the following drawings in which:

FIG. 1 is a pictorial representation of a cellular radio
communications system including a mobile switching center, a
plurality of base stations and a plurality of mobile stations;

FIG. 2 is a schematic block diagram of mobile station equipment
used in accordance with one embodiment of the system of the
present invention;

FIG. 3 is a schematic block diagram of base station equipment
used in accordance with one embodiment of the system of the
present invention;

FIG. 4 is a schematic block diagram of a prior art keystream
generator;

FIG. 5 is a schematic block diagram of a keystream generator
circuit of an encryption system constructed in accordance with
the present invention;

FIG. 6 is a partial schematic block diagram of a second expansion
stage of the keystream generator shown in FIG. 5;

FIG. 7 is a pictorial representation of an authentication
algorithm according to a known standard;

FIG. 8 is a pictorial representation of an algorithm according to
the present invention;

FIG. 9 is a pictorial representation of a mobile cellular system
which uses the authentication algorithm and encryption technique
of the present invention;

FIG. 10 is a schematic block diagram of the mixing process used
in the authentication algorithm of the present invention; and

FIG. 13 is a schematic block diagram of a building block or
mixing cell of the mixing process shown in FIG. 10.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Referring first to FIG. 1, there is illustrated therein a
conventional cellular radio communications system of a type to
which the present invention generally pertains. In FIG. 1, an
arbitrary geographic area may be seen divided into a plurality of
contiguous radio coverage areas, or cells, C1-C10. While the
system of FIG. 1 is shown to include only 10 cells, it should be
clearly understood that, in practice, the number of cells may be
much larger.

Associated with and located within each of the cells C1-C10 is a
base station designated as a corresponding one of a plurality of
base stations B1-B10. Each of the base stations B1-B10 includes a
transmitter, a receiver and controller as is well known in the
art. In FIG. 1, the base stations B1-B10 are located at the
center of the cells C1-C10, respectively, and are equipped with
omni-directional antennae. However, in other configurations of
the cellular radio system, the base stations B1-B10 may be
located near the periphery, or otherwise away from the centers of
the cells C1-C10 and may illuminate the cells C1-C10 with radio
signals either omni-directionally or directionally. Therefore,
the representation of the cellular radio system of FIG. 1 is for
purposes of illustration only and is not intended as a limitation
on the possible implementations of the cellular system.

With continuing reference to FIG. 1, a plurality of mobile
stations M1-M10 may be found within the cells C1-C10. Again, only
ten mobile stations are shown in FIG. 1 but it should be
understood that the actual number of mobile stations may be much
larger in practice and will invariably exceed the number of base
stations. Moreover, while none of the mobile stations M1-M10 may
be found in some of the cells C1-C10, the presence or absence of
the mobile stations M1-M10 in any particular one of the cells
C1-C10 should be understood to depend, in practice, on the
individual desires of each of the mobile stations M1-M10 who may
roam from one location in a cell to another or from one cell to
an adjacent or neighboring cell.

Each of the mobile stations M1-M10 is capable of initiating or
receiving a telephone call through one or more of the base
stations B1-B10 and a mobile switching center MSC. The mobile
switching center MSC is connected by communications links, e.g.,
cables, to each of the illustrative base stations B1-B10 and to
the fixed public switching telephone network (PSTN), not shown,
or a similar fixed network which may include an integrated system
digital network (ISDN) facility. The relevant connections between
the mobile switching center MSC and the base stations B1-B10, or
between the mobile switching center MSC and the PSTN or ISDN, are
not completely shown in FIG. 1 but are well known to those of
ordinary skill in the art. Similarly, it is also known to include
more than one mobile switching center in a cellular radio system
and to connect each additional mobile switching center to a
different group of base stations and to other mobile switching
centers via cable or radio links.

Each of the cells C1-C10 is allocated a plurality of voice or
speech channels and at least one access or control channel. The
control channel is used to control or supervise the operation of
mobile stations by means of information transmitted to and
received from those units. Such information may include incoming
call signals, outgoing call signals, page signals, page response
signals, location registration signals, voice channel
assignments, maintenance instructions and "handoff" instructions
as a mobile station travels out of the radio coverage of one cell
and into the radio coverage of another cell. The control or voice
channels may operate either in an analog or a digital mode or a
combination thereof. In the digital mode, analog messages, such
as voice or control signals, are converted to digital signal
representations prior to transmission over the RF channel. Purely
data messages, such as those generated by computers or by
digitised voice devices, may be formatted and transmitted
directly over a digital channel.

In a cellular radio system using time division multiplexing
(TDM), a plurality of digital channels may share a common RF
channel. The RF channel is divided into a series of "time slots",
each containing a burst of information from a different data
source and separated by guard time from one another, and the time
slots are grouped into "frames" as is well known in the art. The
number of time slots per frame varies depending on the bandwidth
of the digital channels sought to be accommodated by the RF
channel. The frame may, for example, consist of three (3) time
slots, each of which is allocated to a digital channel. Thus, the
RF channel will accommodate three digital channels. In one
embodiment of the present invention discussed herein, a frame is
designated to comprise three time slots. However, the teachings
of the present invention should be clearly understood to be
equally applicable to a cellular radio system utilising any
number of time slots per frame.



Referring next to FIG. 2, there is shown therein a schematic
block diagram of the mobile station equipment which is used in
accordance with one embodiment of the present invention. The
equipment illustrated in FIG. 2 may be used for communication
over digital channels. A voice signal detected by a microphone
100 and destined for transmission by the mobile station is
provided as input to a speech coder 101 which converts the analog
voice signal into a digital data bit stream. The data bit stream
is then divided into data packets or messages in accordance with
the time division multiple access (TDMA) technique of digital
communications. A fast associated control channel (FACCH)
generator 102 exchanges control or supervisory messages with a
base station in the cellular radio system. The conventional FACCH
generator operates in a "blank and burst" fashion whereby a user
frame of data is muted and the control message generated by the
FACCH generator 102 is transmitted instead at a fast rate.

In contrast to the blank and burst operation of the FACCH
generator 102, a slow associated control channel (SACCH)
generator 103 continuously exchanges control messages with the
base station. The output of the SACCH generator is assigned a
fixed length byte, e.g. 12 bits, and included as a part of each
time slot in the message train (frames). Channel coders 104, 105,
106 are connected to the speech coder 101, FACCH generator 102
and SACCH generator 103, respectively. Each of the channel coders
104, 105, 106 performs error detection and recovery by
manipulating incoming data using the techniques of convolutional
encoding, which protects important data bits in the speech code,
and cyclic redundancy check (CRC), wherein the most significant
bits in the speech coder frame, e.g., 12 bits, are used for
computing a 1 bit error check.

Referring again to FIG. 2, the channel coders 104, 105 are
connected to a multiplexer 107 which is used for time division
multiplexing of the digitised voice messages with the FACCH
supervisory messages. The output of the multiplexer 107 is
coupled to a 2-burst interleaver 108 which divides each data
message to be transmitted by the mobile station (for example, a
message containing 260 bits) into two equal but separate parts
(each part containing 130 bits) arranged in two consecutive time
slots. In this manner, the deteriorative effects of Rayleigh
fading may be significantly reduced. The output of the 2-burst
interleaver 108 is provided as input to a modulo-2 adder 109
where the data to be transmitted is ciphered on a bit-by-bit
basis by logical modulo-2 addition with a pseudo-random keystream
which is generated in accordance with the system of the present
invention described below.

The output of the channel coder 106 is provided as input to a
22-burst interleaver 110. The 22-burst interleaver 110 divides
the SACCH data into 22 consecutive time slots, each occupied by a
byte consisting of 12 bits of control information. The
interleaved SACCH data forms one of the inputs to a burst
generator 111. Another input to the burst generator 111 is
provided by the output of the modulo-2 adder 109. The burst
generator 111 produces "message bursts" of data, each consisting
of a time slot identifier (TI), a digital voice color code
(DVCC), control or supervisory information and the data to be
transmitted, as further explained below.

Transmitted in each of the time slots in a frame is a time slot
identifier (TI), which is used for time slot identification and
receiver synchronisation, and a digital voice color code (DVCC),
which ensures that the proper RF channel is being decoded. In the
exemplary frame of the present invention, a set of three
different 28-bit TIs is defined, one for each time slot while an
identical 8-bit DVCC is transmitted in each of the three time
slots. The TI and DVCC are provided in the mobile station by a
sync word/DVCC generator 112 connected to the burst generator 111
as shown in FIG. 2. The burst generator 111 combines the outputs
of the modulo-2 adder 109, the 22-burst interleaver 110 and the
sync word/DVCC generator 112 to produce a series of message
bursts, each comprised of data (260 bits), SACCH information (12
bits), TI (28 bits), coded DVCC (12 bits) and 12 delimiter bits
for a total of 324 bits which are integrated according to the
time slot format specified by the EIA/TIA IS-54 standard.

Each of the message bursts is transmitted in one of the three
time slots included in a frame as discussed hereinabove. The
burst generator 111 is connected to an equaliser 113 which
provides the timing needed to synchronise the transmission of one
time slot with the transmission of the other two time slots. The
equaliser 113 detects timing signals sent from the base station
(master) to the mobile station (slave) and synchronises the burst
generator 111 accordingly. The equaliser 113 may also be used for
checking the values of the TI and the DVCC. The burst generator
111 is also connected to a 20ms frame counter 114 which is used
to update a ciphering code that is applied by the mobile station
every 20ms, i.e., once for every transmitted frame. The ciphering
code is generated by a ciphering unit 115 with the use of a
mathematical algorithm and under the control of a key 116 which
is unique to each mobile station. The algorithm may be used to
generate a pseudo-random keystream in accordance with the present
invention and as discussed further below.
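The frame-counter-driven ciphering described here, and in the background passage on frame number driven keystream generators, as an added example that is not code from the patent: a per-frame keystream is added modulo 2 to a 260-bit message, a lost frame breaks decryption until the counter is resent, and one flipped key bit changes about half of the keystream. SHAKE-256 stands in for the keystream algorithm; the key, data and names are constructed.

```python
import hashlib

FRAME_BITS = 260  # ciphered message length per frame, as stated on the page


def keystream(key, frame_count, nbits=FRAME_BITS):
    """Expand key and frame count into nbits pseudo-random bits.

    SHAKE-256 is a stand-in; the page's own generator is not given here.
    """
    seed = key + frame_count.to_bytes(4, "big")
    raw = hashlib.shake_256(seed).digest((nbits + 7) // 8)
    return [(raw[i // 8] >> (7 - i % 8)) & 1 for i in range(nbits)]


def mod2_add(bits, ks):
    """Bit-by-bit modulo-2 addition; the same step enciphers and deciphers."""
    if len(bits) != len(ks):
        raise ValueError("data and keystream lengths differ")
    return [b ^ k for b, k in zip(bits, ks)]


class CipherUnit:
    """One end of the link: a key plus a counter stepped once per frame."""

    def __init__(self, key, frame_count=0):
        self.key = key
        self.frame_count = frame_count

    def process(self, bits):
        out = mod2_add(bits, keystream(self.key, self.frame_count))
        self.frame_count += 1
        return out

    def resync(self, frame_count):
        # The transmitter's current count, sent to a receiver that lost sync.
        self.frame_count = frame_count


def hamming(a, b):
    """Number of bit positions in which two equal-length sequences differ."""
    return sum(x != y for x, y in zip(a, b))


def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    frame = [(i // 3) % 2 for i in range(FRAME_BITS)]         # constructed data
    tx, rx = CipherUnit(key), CipherUnit(key)

    in_sync = rx.process(tx.process(frame)) == frame

    tx.process(frame)                        # a frame the receiver never sees
    garbled = rx.process(tx.process(frame))  # receiver counter is now behind
    errors_out_of_sync = hamming(garbled, frame)

    rx.resync(tx.frame_count)                # transmitter count is resent
    recovered = rx.process(tx.process(frame)) == frame

    # Flip one key bit: about half of the 260 keystream bits should change.
    key2 = bytes([key[0] ^ 0x01]) + key[1:]
    avalanche = hamming(keystream(key, 0), keystream(key2, 0))
    return in_sync, errors_out_of_sync, recovered, avalanche


if __name__ == "__main__":
    print(demo())
```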

The message bursts produced by the burst generator 111 are
provided as input to an RF modulator 117. The RF modulator 117 is
used for modulating a carrier frequency according to the
π/4-DQPSK technique (π/4 shifted, differentially encoded
quadrature phase shift key). The use of this technique implies
that the information to be transmitted by the mobile station is
differentially encoded, i.e., two bit symbols are transmitted as
4 possible changes in phase: + or - π/4 and + or - 3π/4. The
carrier frequency for the selected transmitting channel is
supplied to the RF modulator 117 by a transmitting frequency
synthesiser 118. The burst modulated carrier signal output of the
RF modulator 117 is amplified by a power amplifier 119 and then
transmitted to the base station through an antenna 120.

The mobile station receives burst modulated signals from the base
station through an antenna 121 connected to a receiver 122. A
receiver carrier frequency for the selected receiving channel is
generated by a receiving frequency synthesiser 123 and supplied
to an RF demodulator 124. The RF demodulator 124 is used to
demodulate the received carrier signal into an intermediate
frequency signal. The intermediate frequency signal is then
demodulated further by an IF demodulator 125 which recovers the
original digital information as it existed prior to π/4-DQPSK
modulation. The digital information is then passed through the
equaliser 113 to a symbol detector 126 which converts the two-bit
symbol format of the digital data provided by the equaliser 113
to a single bit data stream.

The symbol detector 126 produces two distinct outputs: a first
output, comprised of digitised speech data and FACCH data, and a
second output, comprised of SACCH data. The first output is
supplied to a modulo-2 adder 127 which is connected to a 2-burst
deinterleaver 128. The modulo-2 adder 127 is connected to the
ciphering unit 115 and is used to decipher the encrypted
transmitted data by subtracting on a bit-by-bit basis the same
pseudo-random keystream used by the transmitter in the base
station to encrypt the data and which is generated in accordance
with the teachings of the present invention set forth below. The
modulo-2 adder 127 and the 2-burst deinterleaver 128 reconstruct
the speech/FACCH data by assembling and rearranging information
derived from two consecutive frames of the digital data.

The 2-burst deinterleaver 128 is coupled to two channel decoders 129, 130 which decode the convolutionally encoded speech/FACCH data using the reverse process of coding and check the cyclic redundancy check (CRC) bits to determine if any error has occurred. The channel decoders 129, 130 detect distinctions between the speech data on the one hand, and any FACCH data on the other, and route the speech data and the FACCH data to a speech decoder 131 and an FACCH detector 132, respectively. The speech decoder 131 processes the speech data supplied by the channel decoder 129 in accordance with a speech coder algorithm, e.g., VSELP, and generates an analog signal representative of the speech signal transmitted by the base station and received by the mobile station. A filtering technique may then be used to enhance the quality of the analog signal prior to broadcast by a speaker 133. Any FACCH messages detected by the FACCH detector 132 are forwarded to a microprocessor 134.

The second output of the symbol detector 126 (SACCH data) is supplied to a 22-burst deinterleaver 135. The 22-burst deinterleaver 135 reassembles and rearranges the SACCH data which is spread over 22 consecutive frames. The output of the 22-burst deinterleaver 135 is provided as input to a channel decoder 136. FACCH messages are detected by an SACCH detector 137 and the control information is transferred to the microprocessor 134.

The microprocessor 134 controls the activities of the mobile station and communications between the mobile station and the base station. Decisions are made by the microprocessor 134 in accordance with messages received from the base station and measurements performed by the mobile station. The microprocessor 134 is also provided with a terminal keyboard input and display output unit 138. The keyboard and display unit 138 allows the mobile station user to exchange information with the base station.

Referring next to FIG. 3, there is shown a schematic block diagram of the base station equipment which are used in accordance with the present invention. A comparison of the mobile station equipment shown in FIG. 2 with the base station equipment shown in FIG. 3 demonstrates that much of the equipment used by the mobile station and the base station are substantially identical in construction and function. Such identical equipment are, for the sake of convenience and consistency, designated with the same reference numerals in FIG. 3 as those used in connection with FIG. 2, but are differentiated by the addition of a prime (') in FIG. 3.

There are, however, some minor differences between the mobile station and the base station equipment. For instance, the base station has, not just one but, two receiving antennas 121'. Associated with each of the receiving antennas 121' are a receiver 122', an RF demodulator 124', and an IF demodulator 125'. Furthermore, the base station includes a programmable frequency combiner 118A' which is connected to a transmitting frequency synthesiser 118'. The frequency combiner 118A' and the transmitting frequency synthesiser 118' carry out the selection of the RF channels to be used by the base station according to the applicable cellular frequency reuse plan. The base station, however, does not include a user keyboard and display unit similar to the user keyboard and display unit 138 present in the mobile station. It does however include a signal level meter 100' connected to measure the signal received from each of the two receivers 122' and to provide an output to the microprocessor 134'. Other differences in equipment between the mobile station and the base station may exist which are well known in the art.

The discussion thus far has focused on the operational environment of the system of the present invention. A specific description of particular embodiments of the present invention is set forth below. As disclosed above and used hereinafter, the term "keystream" means a pseudo-random sequence of binary bits or blocks of bits used to encipher a digitally encoded message or data signal prior to transmission or storage in a medium which is susceptible to unauthorised access, e.g., an RF channel. A "keystream generator" means a device which generates a keystream by processing a secret key comprised of a plurality of bits. Encryption may be simply performed by a modulo-2 addition of the keystream to the data to be encrypted. Similarly, decryption is performed by a modulo-2 subtraction of an identical copy of the keystream from the encrypted data.

Generally speaking, the keystream generator provides a mechanism, represented by elements 115 and 115' of FIGS. 2 and 3, respectively, for expanding a relatively small number of secret bits, i.e., the secret key, represented by elements 116 and 116', into a much larger number of keystream bits which are then used to encrypt data messages prior to transmission (or storage). To decrypt an encoded message, the receiver must "know" the index to the keystream bits used to encrypt the message. In other words, the receiver must not only have the same keystream generator and generate the same keystream bits as the transmitter, but also, the receiver keystream generator must be operated in synchronism with the transmitter keystream generator if the message is to be properly decoded. Synchronisation is normally achieved by periodically transmitting from the encoding system to the decoding system the contents of every memory device, such as bit, block or message counters, which participate in the generation of the keystream bits. Synchronisation may be simplified, however, by using arithmetic bit block counters, such as binary counters, and incrementing those counters by a certain amount each time a new block of keystream bits is produced.

a part of a real-time, i.e. hours, clock chain. A keystream generator relying on the latter type of counters is known as the "time-of-day" driven keystream generator to which reference


It should be noted that the precise method used for bit-by-bit or block-by-block advancing of the keystream generator, and the particular method used for synchronising the sending circuit with the receiving circuit, are the subject of co-pending patent application Serial No. ____, entitled "Continuous Cipher Synchronisation for Cellular Communication System", as mentioned above. The system of the present invention, as hereinafter described in detail, is directed to the efficient implementation of an effective encryption system which may be used, for example, to secure digital communication over RF channels in a cellular telecommunications system. The encryption system includes a keystream generator which produces a high number of keystream bits per second by performing a large number of boolean operations per second on a plurality of key bits contained in a secret key. The keystream generator of the present invention may be implemented with an integrated circuit having a simple microprocessor architecture.

Referring now to FIG. 4, a schematic block diagram of a prior art keystream generator may now be seen. An optional block counter 201 provides a first multi-bit input to a combinatorial logic circuit 202. A plurality of one-bit memory elements, or flip-flops, m1, m2, m3 . . . mn provides a second multi-bit input to the combinatorial logic circuit 202. A portion of the output of the combinatorial logic circuit 202, consisting of one-bit outputs d1, d2, d3 . . . dn, is fed back to the flip-flops m1-mn. The outputs d1-dn become the next state of the flip-flops m1-mn, respectively, after each clock pulse in a series of bit clock input pulses 203 supplied to the flip-flops m1-mn. By suitable construction of the combinatorial logic circuit 202, the flip-flops m1-mn may be arranged to form a straight binary counter, a linear feedback shift register executing a maximum length sequence, or any other form of linear or non-linear sequential counters. In any event, each of the states of the flip-flops m1-mn and the state of the block counter 201 at the receiver end must be made equal to the states of the corresponding elements at the transmitter end. A reset or synchronisation mechanism 204 is used to synchronise the receiver with the transmitter.

With continuing reference to FIG. 4, a plurality of secret key bits k1, k2, k3 . . . kn forms a third multi-bit input to the combinatorial logic circuit 202. The number n of secret key bits is usually in the region of a hundred bits plus or minus (+/-) a factor of 2. It is desirable that each of the secret key bits k1-kn should, at a minimum, have the potential of affecting each of the bits in the keystream. Otherwise, an eavesdropper would need to break only a small subset of the secret key bits k1-kn in order to decipher and monitor the encrypted data. The risk of unauthorised interception, however, may be considerably reduced if the value (logical state) of each bit in the keystream is made to depend not only on the value of a particular secret key bit, but also on the value of all other secret key bits as well as the state of the block counter 201 and other internal memory states. Heretofore, the establishment of such a dependence would have entailed a prohibitive number of boolean operations. Assume, for example, that the secret key is composed of one hundred (100) secret key bits. If each of these secret key bits is to influence every bit in the keystream, a total of one hundred (100) combinatorial operations per keystream bit would be required. Thus, to produce ten thousand (10,000) keystream bits, a total of one million (1,000,000) combinatorial operations would be required and the number would be even greater if each keystream bit was also made to depend on one or more internal memory states. One of the objectives of the present invention is to significantly reduce the required number of combinatorial operations per keystream bit while maintaining the dependence of each keystream bit on every one of the secret key bits.

The production of many thousands of pseudo-random keystream bits from, for example, fifty (50) to one hundred (100) secret key bits may be viewed as a multistage expansion process. A plurality of expansion stages are cascaded together, each having a successively smaller expansion ratio. Expansion by the first stage is performed less frequently than by subsequent stages in order to minimise the number of required logical (boolean) operations per keystream bit. Additionally, the first expansion stage is constructed to provide a plurality of output bits which is highly dependent on the secret key bits, further reducing the number of logical operations which must be performed by the subsequent stages.

Referring next to FIG. 5, there is shown a schematic block diagram of a keystream generator system. A plurality of security key bits k1, k2, k3 . . . are provided as input to a first stage expansion 205. The security key bits may be obtained from the permanent key bits by an authentication algorithm as set forth in further detail below. The security key bits k1, k2, k3 . . . input may include some, but preferably all, of the security key bits k1, k2, k3 . . . kn, hereinafter sometimes referred to as "secret" key bits. Additional or optional inputs to the first stage expansion 205 may include the outputs of a message counter, a block counter, a date-time stamp representing the time or block count number at the start of a frame, or other variable outputs which may be synchronised by the sender and receiver. Any internal memory output which varies slowly with time may be used as an input to the first stage expansion 205. A slow changing input is desired because the first stage expansion 205 should be performed infrequently, e.g., once per message.

The first stage expansion 205 generates an expanded output which is considerably larger in size than the number of secret key bits k1, k2, k3 . . . The expanded output is stored in a memory device 206 which is accessed by a combinatorial logic circuit 207. The combinatorial logic 207 performs a second stage expansion as more fully set forth below. The output of a counter or register 208 forms an input to the combinatorial logic 207. The register 208 is initialised to a new starting state prior to the generation of each block of keystream bits. An initial value generator 209 provides the starting state for the register 208. The starting state, which will be different for each particular block of keystream bits, is a function of the block number of the particular block and, possibly, also a function of some subset of the secret key bits k1-kn.

A first output 210 of the combinatorial logic 207 is fed back to the register 208. The output 210 becomes the new state of the register 208 after each cycle of operation. A second output 211 of the combinatorial logic 207 forms the keystream bits which are to be mixed with the data stream as shown in FIGS. 2 and 3, above. The number of keystream bits produced per cycle at the output 211 may be any multiple of 2, e.g., 16, 32, 56, etc. Such bits are collectively referred to as a "keyword". Some or all of the keywords produced at the output 211 prior to reinitialisation of the register 208 are grouped into a keyblock 212. The keyblock 212 may, for example, consist of all the keywords produced in every cycle, or in every other cycle, prior to reinitialisation of the register 208.

It will be appreciated by those skilled in the art that a conventional implementation of the keystream generator system depicted in FIG. 5 and discussed above might require a host of complex combinatorial logic circuits which, if realised separately by interconnecting a plurality of logic gates, i.e., AND, OR etc., would amount to a large and costly chip, useful only for a very specific application. An arithmetic and logic unit (ALU), on the other hand, is a standard component of a variety of small, low-cost and multi-purpose microprocessors. The present invention provides a means for realising all of the required combinatorial logic functions with the use of such an ALU.

The conventional ALU, operating under the control of

SUBTRACT, BITWISE EXCLUSIVE OR, AND, OR between any two 8-bit or 16-bit binary words. If the ALU is used to sequentially implement all of the boolean functions required in the device of FIG. 5, the ALU operating speed, measured in terms of the number of complete cycles per second that may be executed, would be substantially reduced. The multi-stage expansion used in the present system, however, prevents such excessive reduction of ALU speed by minimising the number of program instructions, i.e., instances of ALU utilisation, per cycle for the most frequently executed combinatorial logic 207 through the infrequently periodic calculation of a large number of key-dependent functions in the first stage expansion 205. By the word "large" in the preceding sentence, is meant, for example, an order of magnitude larger than the number n of secret key bits.

Once the register 208 is initialised with a starting value, the combinatorial logic 207 will generate a stream of keywords at the output 211 and will continue to generate additional keywords each time the register 208 is reloaded with the feedback value at the output 210. Difficulties may arise, however, which can undermine the integrity of the keyword generation process. If, for example, the contents of the register 208 ever return to their initial value, the sequence of the keywords generated theretofore will repeat again. Similarly, if the contents of the register 208 return to a value (not necessarily the initial value) previously encountered in the generation of the current keyblock, the system is said to be "short cycling". For reasons alluded to earlier, e.g., the ease of unauthorised deciphering, it is undesirable that the sequence of keywords should begin to repeat, or that short cycling should occur, within the generation of a single keyblock. Moreover, if the contents of the register 208 at some point, say after the M'th keyword is generated, become equal to some value which existed or will exist after the M'th keyword during the generation of another keyblock, the two keyblocks will, from that point on, be identical—also an undesirable occurrence.

Hence, the combinatorial logic 207 and the associated register 208 (the "combinatorial logic/register combination"), when operated successively a number of times, should (i) not produce cycles shorter than the number of keywords per block; and (ii) produce a unique keyword sequence for every unique starting state of the register 208. To meet the latter requirement, no two different starting states should be capable of converging to the same state. Furthermore, both of the foregoing requirements should apply regardless of the contents of the memory 206. As explained in more detail below, the present invention alleviates these concerns and enhances the integrity of the keyword generation process.

When the state transition diagram of the combinatorial logic/register combination has converging forks, the combination may not be run in reverse through such a fork because of the ambiguity about which path to take. Therefore, if a process for operating the combination can be shown to be unambiguous or reversible, it is proof that converging forks do not exist in the state transition diagram. Such a process is described and discussed below.

Referring next to FIG. 6, a partial schematic block diagram of the second expansion stage of the keystream generator shown in FIG. 5 may now be seen. The register 208 of FIG. 5 has been divided into three byte-length registers 208A, 208B, 208C in FIG. 6. The registers 208A, 208B, 208C may be, for example, 8-bit registers. Following initialisation of the registers 208A, 208B, and 208C, new state values are calculated from the following formulas:

(1) A' = A # [K(B) + K(C)]
(2) B' = B # R(A)
(3) C' = C + 1

where,

A' is the new state value for the register 208A;
B' is the new state value for the register 208B;
C' is the new state value for the register 208C;
A is the current state value for the register 208A;
B is the current state value for the register 208B;
C is the current state value for the register 208C;
+ means word-length modulo additions, for example, byte wide modulo-256 additions;
# means + (as defined above) or bitwise Exclusive OR (XOR);
K(B) is the value K located at address B of the memory 206 shown in FIG. 5;
K(C) is the value K located at address C of the memory 206 shown in FIG. 5.

It should be noted that each of the values K stored in the memory 206 has been previously calculated to be a complex function of all the secret key bits by the first stage expansion 205 shown in FIG. 5. R(A) is the value located at address A in a look-up table R which may be the same table which is described below in connection with the contents of the S-Box used in the authentication algorithm. Alternatively, the bits of A are supplied as inputs to a combinatorial logic block which will produce an output R. The look-up table R, or alternatively, the combinatorial logic block should provide a number of output bits greater than or equal to the word length of A and less than or equal to the word length of B. In the case where A and B are both 8-bit bytes, for example, R will also be an 8-bit byte and the look-up table R will contain 256 values.

The value R should have a 1:1 mapping from input to output; that is, each possible state of the input bits should map to a unique output value. This ensures that the R function is reversible which, in turn, ensures that the whole process may be reversed by means of the following relationships:

b * * m m m
modulo subtraction;
means the inverse operation of #, i.e., either - (as defined above) or bitwise XOR; and
is the inverse of the 1:1 look-up table, or the combinatorial logic, R.

This reversibility demonstrates that there are no converging forks in the state transition diagram of the combinatorial logic/register combination and, hence, guarantees that every starting state will produce a unique sequence of keywords. Furthermore, the process guarantees a minimum cycle length, since C is incremented only by 1 and will not return to its initial value until after 2^w iterations, where w is the word length used. For example, if all of the values A, B, C, R and K are 8-bit bytes, the minimum cycle length will be 256. If, upon every iteration (cycle), a keyword (byte) is extracted, a total of 256 bytes may be extracted without the danger of premature repetition of the sequence. If, on the other hand, the keyword is extracted every other iteration, a total of 128 keywords may be extracted without premature repetition of the sequence. By the word "extracted" in the preceding two sentences, is meant the collection and placement of keywords into a keyblock such as the keyblock 212 in FIG. 5. A particular method of keyword extraction which may be used in the present invention is described immediately below.

In connection with FIG. 6, a process was described for computing the outputs 210 of the combinatorial logic 207 which are fed back to the register 208. Generally speaking, any one of the intermediate quantities A, B or C may be directly extracted and used as a keyword on each iteration. Letting S = (A, B, C) stand for the current state of the combinatorial logic/register combination, the combination will transit through a sequence of states S0, S1, S2, S3, S4, S5, S6 . . . following initialisation to S0. If, however, in the computation of a subsequent keyblock the register 208 is initialised, for example, to S2, the resulting sequence S2, S3, S4, S5, S6, S7 . . . will be identical to the first sequence but shifted by two keywords (S0, S1). Therefore, if a value A, B, or C from a state S is directly used as a keyword, such an identity may appear between different keyblocks. To prevent this, the system of the present invention modifies each of the values extracted in accordance with the value's position in the keyblock so that if the same value is extracted to a different keyword position in another block, a different keyword will result. An exemplary method for achieving the latter objective is set forth below.

Let N be the number of keywords in the keyblock currently being computed and S = (A, B, C) be the current state of the register 208 in the iteration during which the keyword N is to be extracted. The value of the keyword W(N) may be calculated as follows:

where,

+ means XOR;
+' means either + (as defined immediately above) or word-length modulo addition.

Other suitable exemplary methods for keyword extraction may include the following:

W(N) = B + K[R(A + N)] or
W(N) = K[A + N] + K[B + N] and so forth.

It is recommended that, to obtain the best cryptographic properties in the system, the values of the keywords extracted should be a function of their respective positions within a keyblock.
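The second expansion stage and the position-dependent keyword extraction described above, as an added example that is not part of the patent text. It takes "#" and the extraction "+" as XOR, fills K from SHA-256 as a stand-in for the first stage expansion, and uses a constructed affine permutation for R; all function names and sample values are hypothetical.

```python
"""Second-stage keystream expansion and position-dependent keyword extraction.

Constructed illustration: K stands in for the first stage expansion output and
R is a toy 1:1 table; neither is taken from the patent.
"""
import hashlib

WORD = 256  # byte-wide words, so "+" in formulas (1) and (3) is modulo-256 addition


def build_k(secret_key: bytes) -> list:
    """Stand-in for memory 206: 256 bytes, each depending on every key bit.
    SHA-256 is an assumption used only to obtain key-dependent values."""
    return [hashlib.sha256(secret_key + bytes([i])).digest()[0] for i in range(WORD)]


# Toy 1:1 look-up table R: an odd multiplier makes i -> 167*i + 13 a permutation mod 256.
R = [(167 * i + 13) % WORD for i in range(WORD)]


def step(state, k):
    """One iteration of formulas (1)-(3), taking '#' as bitwise XOR."""
    a, b, c = state
    a_new = a ^ ((k[b] + k[c]) % WORD)   # (1) A' = A # [K(B) + K(C)]
    b_new = b ^ R[a]                     # (2) B' = B # R(A)
    c_new = (c + 1) % WORD               # (3) C' = C + 1
    return (a_new, b_new, c_new)


def states(start, k, count):
    """Return the `count` successive states beginning with `start`."""
    out, s = [], start
    for _ in range(count):
        out.append(s)
        s = step(s, k)
    return out


def first_repeat(start, k, count):
    """Index at which a state recurs within `count` iterations, else None.
    A non-None result would be the 'short cycling' failure."""
    seen = set()
    for i, s in enumerate(states(start, k, count)):
        if s in seen:
            return i
        seen.add(s)
    return None


def keyblock_direct(start, k, count):
    """Weak extraction: use B of each state directly as the keyword."""
    return bytes(b for (_, b, _) in states(start, k, count))


def keyblock_positional(start, k, count):
    """Extraction W(N) = B + K[R(A + N)] with '+' as XOR; N is the keyword's
    position in the keyblock (count must not exceed 256)."""
    return bytes(b ^ k[R[a ^ n]]
                 for n, (a, b, _) in enumerate(states(start, k, count)))


def crypt(data: bytes, keyblock: bytes) -> bytes:
    """Modulo-2 addition of keystream and data; the same call deciphers."""
    return bytes(d ^ w for d, w in zip(data, keyblock))


# Constructed sample inputs.
K = build_k(b"constructed-demo-key")
S0 = (0x3A, 0xC5, 0x00)
S2 = states(S0, K, 3)[2]          # a later keyblock that happens to start at S2

if __name__ == "__main__":
    print("repeat within 256 iterations:", first_repeat(S0, K, 256))
    d0, d2 = keyblock_direct(S0, K, 64), keyblock_direct(S2, K, 64)
    p0, p2 = keyblock_positional(S0, K, 64), keyblock_positional(S2, K, 64)
    print("direct keyblocks overlap:    ", d2[:62] == d0[2:])
    print("positional keyblocks overlap:", p2[:62] == p0[2:])
```

With direct extraction the keyblock started at S2 is the first keyblock shifted by two keywords; with the positional form the same states yield different keywords because N differs.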

Having described an encryption system which generates a large number of complex, key-dependent pseudo-random (PR) bits for use in enciphering data and which may be implemented in a conventional microprocessor, a description of a system which integrates the encryption and authentication functions and improves the overall security of a digital cellular system is set forth immediately below.

The process of authentication according to the present invention generally involves the following sequence of steps:

(1) The mobile station identifies itself to the network by sending a mobile identification number (MIN) in unencrypted form so that the network can retrieve information pertaining to that mobile, e.g., security keys, from the location or database in which they are stored.

(2) The network transmits a random challenge signal (RAND) to the mobile.

(3) The mobile station and the network each uses bits of a secret permanent authentication key, known only to the mobile station and the network and never transmitted over the air, in order to compute a response signal (RESP) to the RAND in accordance with a published algorithm (referred to hereinafter as AUTH1). The RESP generated at the mobile station is transmitted to the network.

(4) The network compares the RESP received from the mobile station with the internally generated version and grants the mobile station access for registration, initiation of a call or reception of a call only if the comparison succeeds.

In IS-54, the MIN is a 34-bit binary word which is derived from the mobile station's 10-digit directory telephone number, i.e., area code and telephone number. See IS-54, §2.3.1 at pp. ?£-?o. The mobile station stores a - «, bit value in a random challenge memory which represents the last RAND received in a random challenge global action message periodically appended to the overhead message train. The mobile station uses these messages to update the random challenge memory. The present value of the RAND is used as an input to the authentication algorithm AUTH1. See IS-54, §2.3.13 at pp. 83-84. In IS-54, the RAND is transmitted to the mobile station before the mobile station transmits the MIN and only one RAND is in use for all the mobile stations, including false mobile stations, in the network at any particular time, thereby reducing the level of security in the system. Moreover, since the RAND is known to the mobile station in advance, the RESP is precalculated and transmitted to the network along with the MIN. The network, however, could not have precalculated the RESP without receiving the MIN unless the mobile station was previously registered in the network.

The authentication key used in the AUTH1 of the IS-54 system consists of a personal identification number (PIN) which is a secret number managed by the system operator for each subscriber. The IS-54 AUTH1 also uses a factory-set electronic serial number (ESN) which uniquely identifies the mobile station to any cellular system. The RESP computed by the IS-54 AUTH1 depends on (i) the PIN; (ii) the ESN; and (iii) the dialed digits (for mobile originated calls) or the MIN (for mobile terminated calls). The RESP transmitted by the mobile station according to IS-54 consists of the output of AUTH1, i.e., AUTHR (18 bits), together with a random confirmation (RANDC) (8 bits), which depends on RAND, for a total of 26 bits. No cryptological distinction is made between AUTHR and RANDC and each of these values may depend on the values of RAND, PIN, ESN and perhaps the called number. Thus, AUTHR and RANDC may be regarded as merely constituting a 26-bit RESP, the nature of which is determined by the algorithm AUTH1 which is used.

The use of the dialed digits, in accordance with IS-54, to affect the RESP in the case of a mobile originated call set-up has certain undesirable or noteworthy consequences which are listed below:

(1) Since the dialed digits cannot be known to the network in advance, the network cannot precalculate the expected RESP to a given RAND for any particular MIN. Hence, the authentication algorithm AUTH1 cannot be executed until the dialed digits are transmitted from the mobile station to the network, possibly delaying call set-up. On the other hand, if the dialed digits are not included, the same mobile station will produce the same RESP for as long as the RAND remains unchanged. In such instance, it is possible to intercept and use the RESP to place a fraudulent call and, thus, to defeat the basic reason for having AUTH1 at all.

(2) Use of the dialed digits as an input to AUTH1 precludes the home network from generating RAND and RESP pairs and sending them to visited networks in advance.

(3) Such use also precludes the advance precalculation of RAND and RESP pairs in general, which may be desirable to save time at call set-up.

(4) Such use implies some assumptions about inter-network, security-related communications and/or the location of the authentication function. In particular, it implies either that the home network transmits the secret key (and the ESN) to the visited network so that the visited network may perform authentication or, alternatively, that the dialed digits are sent on each
from the visited network to the 
that the home 

*ed to : 

subscriber misuser in i 
(5) Since the dialed digits are transmitted in unencrypted form, according to IS-54, a false mobile station may be able to place a call to the same number and then, through a "flash" or conferencing procedure, connect to another number of his choice.

(6) In at least one existing network, it has been deemed necessary to introduce Called Subscriber Identity Security, i.e., masking the dialed digits, in order to prevent certain abuses and the definition of AUTH1 should accommodate such required masking.

The system of the present invention addresses all of the concerns listed above by defining an algorithm AUTH1 in which the dialed digits do not affect RESP. Any weakness caused by the exclusion of the dialed digits from AUTH1, for example, the generation of an identical RESP so long as RAND remains unchanged, is compensated for by defining a second, optional, bilateral authentication step which may be available on the traffic channel. Further safeguards are provided by the process of encryption of the traffic data. It should be noted that the present invention may be used without substantially changing the specifications of IS-54.

Regardless of which location, the home network or the visited network, is considered more convenient for executing the authentication algorithm, some exchange of security-related subscriber information between the networks is unavoidable if authentication or encryption is to take place. In the IS-54 authentication procedure where the visited network periodically determines and broadcasts the RAND, if the authentication algorithm is executed in the home network, the visited network must transmit at least MIN and RAND to the home network in order to receive an RESP and a temporary security encryption key (S-key or call variable). On the other hand, if the authentication algorithm is executed in the visited network, that network must transmit at least MIN to the home network and the home network must, in turn, transmit to the visited network the authentication key, the ESN (if ESN is used in AUTH1) and the permanent encryption key. From a security standpoint, it is undesirable for the home network to release a subscriber's permanent key merely on demand by a visited network. Such keys should constitute the subscriber's long-term security guarantee rather than a short-term call variable. It is, therefore, more desirable that the home network, upon receiving from the visited network the MIN of a visiting mobile station, the RAND broadcast by the visited network and the RESP received by the visited network from the mobile station, generate a short-term (temporary) ciphering key (S-key or call variable) and release the S-key to the visited network only if the RESP is deemed valid.

Execution of the authentication algorithm in the home network allows the authentication algorithm to use the long-term (permanent) secret key, referred to herein as the A-key, which is unique to each mobile station. The A-key is never released outside the home network and never used directly for enciphering but is, instead, used for generating a short-term encryption key, referred to herein as the S-key. The S-key is used only for a limited period of time to be determined by the visited network. If the visited network has already acquired an S-key for a mobile station, performance of the first authentication step is optional and call set-up may proceed directly to the enciphered traffic channel. Hence, it is not necessary for inter-network exchanges to take place every time a visiting mobile station places a call. If, on the other hand, the visited network decides to request an AUTH1 first authentication step, the mobile station and the home network will use the current RAND of the visited network to generate a new S-key, with other inputs to the AUTH1 algorithm being unchanged.

Referring now to FIG. 7, a pictorial representation of an authentication algorithm according to IS-54 may now be seen. When a call is initiated by the mobile station, the mobile station uses its PIN or authentication key, its ESN, the RAND and the dialed digits to compute a response to RAND in accordance with an authentication algorithm AUTH1. The mobile station then transmits to the network the output of AUTH1 (AUTHR) together with random confirmation (RANDC), the dialed digits, the mobile station's individual call history parameter (COUNT) and the MIN. The consequences of allowing the dialed digits to affect the authentication response (AUTHR and RANDC) in mobile originated calls were discussed above and are deemed undesirable. On the other hand, it was considered desirable to accommodate the possibility of called subscriber identity masking. In the case of mobile terminated calls, little is gained by using MIN to affect the authentication response, since the PIN/key is sufficiently mobile-specific.

Referring now to FIG. 8, a pictorial representation of an authentication algorithm according to the present invention may be seen. Neither the dialed digits in the case of mobile originated calls, nor the MIN in the case of mobile terminated calls, are used as input to AUTH1. Further, the output of AUTH1 according to the present invention includes not only an authentication response (RESP), but also a called subscriber mask which may be used to mask the dialed digits in the case of a mobile originated call. A particular embodiment of AUTH1 is set forth and explained below.

A mobile station may be borrowed, stolen or legally acquired and its entire memory contents may be copied, including secret keys, PIN codes, etc., and used to manufacture a number of clones. The cloning procedure may be quite sophisticated and may include software modifications which replace physically stored information with electronically stored information so that a number of stored mobile station identities may be cyclically rotated within one false mobile station and used to imitate several genuine mobile stations.



Call numbering is a means of enabling the network to identify whether clones exist. In call numbering, a modulo-64 count is kept in the mobile station and is incremented after each call or by the network. A similar count is also kept in the network. The mobile station transmits its call number to the network at call set-up and the network compares the received call number with the internally generated version. The comparison, however, may fail for one of the following reasons:



(1) The mobile station may have failed to update its call count after the last call because of an abnormal termination, such as a power failure.

(2) The mobile station may have updated its call count but the network did not receive confirmation that the mobile station had done so because of an abnormal termination.

(3) A clone mobile station had placed one or more calls and stepped up the network counter.

(4) The mobile station is itself a clone and the "real" mobile station had, meanwhile, stepped up the counter.

Unfortunately, the call counter is too easily modified in either direction for the network to determine which of the preceding conditions has occurred and the network may thus be forced to deny service to the mobile station. To avoid such a drastic result, the mobile subscriber may be given an additional opportunity to manually identify himself or herself to the network by, for example, keying in a short secret number which is not stored in the mobile station memory. The system of the present invention provides another anti-cloning safeguard based on a dynamic "rolling key" which is stored in each of the home network and the mobile station and which is used along with the permanent secret key for calculating authentication responses and temporary encryption keys. While such rolling keys have been previously used for authentication alone, they have not been employed to produce both authentication and encryption parameters.

The principle behind the rolling key concept is to require certain historical information in each of the network and the mobile station to match as a means of protection against clones and as an alternative to requiring complex and expensive physical protection of mobile station memories. Specifically, in order for a clone mobile station to gain access to the system, the clone would be required to intercept the entire history of authentication challenges subsequent to the time of copying the then current key state of a genuine mobile station. According to the present invention, authentication is carried out in the home network using a combination of a rolling key, referred to herein as the B-key, which contains historical information, and the permanent secret subscriber key (A-key), which is never used directly in an encryption algorithm but is used only for generating one or more operating security keys. The authentication algorithm of the present system also computes a new value for the rolling key which becomes the current value of the rolling key whenever the mobile station and the home network agree on an update. Such an update may be triggered by a request from the visited network or the home network for execution of a bilateral authentication procedure as further described below.

The rolling key update may be performed at any time during a conversation that the visited network decides to update the call counter in the home network and the mobile station. Before updating its call counter, the home network may request a bilateral authentication of the mobile station. A correct response from the mobile station would then result in a call counter update, a rolling key update and the generation of a new conversation security key (S-key) which is sent to the visited network for use in subsequent calls. Similarly, the mobile station may update its call counter only if the bilateral authentication procedure verifies that the visited network is in genuine contact with the home network. Upon verification, the mobile station also updates its call counter and rolling key (B-key) and generates a new conversation security key (S-key) for use in subsequent calls served by the same visited network. It may be appreciated that, because the call counter and the rolling key are updated at the same time, a check of the mobile station and the home network call counters may also serve as an indication of whether the mobile station and home network are in the same rolling key state.

Bilateral authentication, i.e., authentication of both the mobile station and the network, may be distinguished from unilateral authentication in that the authentication information sent in both directions is key-dependent in the former, whereas only the information sent in the direction mobile station to network is key-dependent in the latter. According to the present invention, the RAND signal is used as an input to an authentication algorithm AUTH2 which generates a long RESP signal, part of which is sent from the network to the mobile station to validate the network and the other part is sent by the mobile station to the network to validate the mobile station. For example, the algorithm AUTH2 could compute a RESP from the RAND and then proceed to use the RESP as a new input to the algorithm AUTH2 which then computes a RESPBIS signal. The network transmits the RAND and the RESPBIS to the mobile station which uses the RAND to compute a RESP and a RESPBIS in accordance with the AUTH2. The mobile station will send the internally generated RESP to the network only if the internally generated RESPBIS matches the RESPBIS received from the network. This prevents a false base station from extracting RAND, RESP pairs from the mobile station and the verification of the mobile station and network identities allows security status updating to proceed at a convenient later point in relative safety.

When enciphering of communication is desired in a visited network, the ciphering key must be communicated from the home network to the visited network. As mentioned heretofore, it is highly undesirable for the permanent secret subscriber A-keys to circulate between networks on non-specially protected links. Instead, and in accordance with the present invention, the home network never releases the A-key of a given subscriber but only uses the A-key to generate a temporary talk-variable security key (S-key) which is then used to generate a pseudo-random keystream for enciphering a particular call or group of calls. It should be understood that the "secret key" referred to in the earlier discussion of the pseudo-random keystream generation technique of the present invention represents the S-key which is directly used for encryption and not the permanent secret A-key from which the S-key is derived. The S-key is calculated and sent from the home network to the visited network upon receiving a MIN, a RAND and a RESP which are valid.

Since the S-key is calculated at the same time and by the same process as the authentication challenge-response signal (RESP), successful authentication ensures that the network and the mobile station will have the same enciphering key (S-key) and, consequently, the enciphering of user data may begin as soon as authentication has been completed. It may thus be seen that the linkage of authentication and enciphering in the system of the present invention reduces the number of different security-feature combinations that must be identified by the mobile station and the base station from four (4) to two (2).

The talk-variable (S-key) may be generated as a by-product of the same authentication algorithm which produces the RESP and RESPBIS parameters. Other desired outputs from such an algorithm include (i) sufficient bits to mask the called subscriber number; and (ii) the next state of the rolling key (B-key) which replaces the current state if the network has been validated by bilateral authentication and/or the call counter update command has been issued.

By way of example and without any limitation on the teachings of the present invention, the following table illustrates a bit and byte count for the algorithm outputs:

OUTPUT              BITS    BYTES
RESP                  32        4
RESPBIS               32        4
CALLED NO. MASK       64        8
S-key                 64        8
NEXT B-key            64        8
TOTAL BITS 256      TOTAL BYTES 32

The following table illustrates a bit and byte count for the algorithm inputs:

INPUT               BITS    BYTES
A-key                128       16
B-key                 64        8
RAND                  32        4
ESN                   32        4
DIALED DIGITS          0        0
TOTAL BITS 256      TOTAL BYTES 32

The values depicted above have been deliberately rounded up to give an algorithm having a 32-byte input and a 32-byte output. If shorter variables are used, they may be expanded with constants. An algorithm having the above input and output byte counts and which is suitable for fast execution by byte-wide operations in simple 8-bit microprocessors of the type commonly found in mobile stations, is set forth below in a separate section entitled "Definition of Authentication Algorithm."

The present invention provides two steps of authentication which may be used at the network operator's discretion. The first step has been referred to as AUTH1 in the preceding description. The algorithm set forth in the section entitled Definition of Authentication Algorithm may be used for AUTH1. In such algorithm, the dialed digits do not affect the outputs. The 16-bit RAND broadcast on the control channel is used and included twice to provide a 32-bit input. The algorithm output parameters include the RESP and the MIN which may be sent by the mobile station to the network on the calling channel and the call variable (S-key) which may be used for enciphering user data immediately upon switching to a TDMA traffic channel. An additional output is provided for masking the called subscriber number in the case of mobile originated calls. This output may be sent from the home network to the visited network so that the called number can be unmasked.

The second authentication step, referred to as AUTH2 in the preceding description, is a bilateral authentication procedure which may be carried out at the network's discretion once communication has been established on the traffic channel. The purpose of the bilateral authentication step is to trigger a rolling key (B-key) update in both the mobile station and the home network while, at the same time, validating them to each other and, thus, preventing certain forms of false base station attacks on the security of the system. The algorithm for AUTH2 is exactly the same as the algorithm for AUTH1 set forth below in the section entitled Definition of Authentication Algorithm, except that the RAND value is determined by the home network and sent along with a RESPBIS to the visited network and, therefrom, to the mobile station. If the mobile station validates the RESPBIS, the mobile station will send a RESP to the visited network which sends the RESP to the home network. If the home network validates the RESP, the home network will send to the visited network an S-key which may be used for the next call.

Referring now to FIG. 9, there is shown therein a pictorial representation of a mobile cellular system which uses the authentication algorithm and encryption technique of the present invention. For convenience, only one mobile station, one visited network and one home network are illustrated in FIG. 9 although it should be understood that a number of mobile stations, visited networks and home networks are usually found in practice. The following abbreviations, as seen in FIG. 9, are of the following terms:

A1 and A2    AUTH1 and AUTH2, respectively
A3           Encryption technique in accordance with the present invention
IVCD         Initial Voice Channel Designation

In FIG. 9, the visiting network periodically broadcasts a RAND1 value to all mobile stations within its service area. Each of the mobile stations computes a response RESP1 which is sent along with MIN and the call history parameter COUNT to the visited network (note that in some applications the RESP1, MIN and COUNT may be sent separately). The visited network requests the enciphering key (S-key) for a particular mobile station from the mobile station's home network. The home network compares the received response RESP1 with the parameters it has obtained by applying RAND1, ESN, A-key and B-key to the authentication algorithm A1 and determines whether the mobile station is genuine, whereupon the home network releases a temporary enciphering key (S-key) to the visited network. If the visited network does not receive an enciphering key, the visited network may deny service to the mobile station.

If the visited network grants access and assigns a channel (or a control channel in some applications) to the mobile station, the parameters defining that channel, i.e., frequency, timeslot and DVCC, are sent from the visited network to the mobile station which tunes to the allocated traffic (or control) channel. Thereafter, the visited network and the mobile station may communicate in the enciphered mode using the S-key. The visited network sends its frame counter value over the unencrypted SACCH and also sends frame count synchronisation messages in a fixed number of unencrypted FACCH messages as described in the related, co-pending patent application entitled "Continuous Cipher Synchronisation for Cellular Communication System", referred to and incorporated by reference above. Further exchanges of FACCH signalling or traffic may take place in the enciphered mode.


Once the mobile station and the base station have established communication on the traffic channel, the visited network may, at any time, request the execution of bilateral authentication and rolling key and call counter update by sending to the mobile station a RAND2 and RESP3 received from the home network. The mobile station uses the RAND2, A-key and B-key in A2 to generate the expected RESP3 and RESP2. If the internally generated RESP3 agrees with the received RESP3, the mobile station sends a RESP2 to the visited network. The visited network sends RESP2 to the home network and, if the home network's internally generated RESP2 agrees with the received RESP2, a newly calculated call variable S-key will be sent from the home network to the visited network. The visited network stores the S-key for use in future calls involving the visiting mobile station. The present call continues to be enciphered with the old S-key. Upon handover or call termination, the new S-key will come into use.
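
The FIG. 9 exchange described above, as an added example that is not code from the patent: it walks through the bilateral step (RAND2, RESP3, RESP2), the joint B-key and call counter update, and the effect on a clone holding the pre-update memory image. HMAC-SHA256 stands in for A1/A2 as an assumption (only the 32-byte output layout comes from the text); all class and function names are hypothetical and the key values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


def auth_outputs(a_key: bytes, b_key: bytes, rand: bytes, esn: bytes) -> dict:
    """Stand-in for A1/A2. ASSUMPTION: HMAC-SHA256 replaces the patent's
    mixing algorithm; only the 32-byte output layout follows the text."""
    d = hmac.new(a_key + b_key, rand + esn, hashlib.sha256).digest()
    return {"resp": d[0:4],       # bytes 0-3: authentication response
            "respbis": d[4:8],    # bytes 4-7: proof sent network -> mobile
            "mask": d[8:16],      # bytes 8-15: called subscriber number mask
            "next_b": d[16:24],   # bytes 16-23: next rolling key
            "s_key": d[24:32]}    # bytes 24-31: temporary enciphering key


@dataclass(frozen=True)
class Secrets:
    """Per-subscriber state held by the mobile station and its home network."""
    a_key: bytes      # permanent key: never released to the visited network
    b_key: bytes      # rolling key
    esn: bytes
    count: int = 0    # modulo-64 call counter, stepped together with the B-key

    def out(self, rand: bytes) -> dict:
        return auth_outputs(self.a_key, self.b_key, rand, self.esn)

    def rolled(self, rand: bytes) -> "Secrets":
        return replace(self, b_key=self.out(rand)["next_b"],
                       count=(self.count + 1) % 64)


class HomeNetwork:
    def __init__(self, state: Secrets):
        self.state = state

    def unilateral(self, rand1: bytes, resp1: bytes):
        """First step (A1): release an S-key only if RESP1 is valid."""
        out = self.state.out(rand1)
        return out["s_key"] if hmac.compare_digest(resp1, out["resp"]) else None

    def bilateral_challenge(self, rand2: bytes):
        """Second step (A2): RAND2 chosen at home; RESP3 proves the network."""
        return rand2, self.state.out(rand2)["respbis"]

    def bilateral_finish(self, rand2: bytes, resp2: bytes):
        """Validate RESP2, then roll B-key and counter, release the new S-key."""
        out = self.state.out(rand2)
        if not hmac.compare_digest(resp2, out["resp"]):
            return None
        self.state = self.state.rolled(rand2)
        return out["s_key"]


class MobileStation:
    def __init__(self, state: Secrets):
        self.state, self.s_key = state, None

    def respond(self, rand1: bytes) -> bytes:
        return self.state.out(rand1)["resp"]

    def bilateral(self, rand2: bytes, resp3: bytes):
        """Answer only a network that produced the right RESP3; a false base
        station receives nothing and the key state does not move."""
        out = self.state.out(rand2)
        if not hmac.compare_digest(resp3, out["respbis"]):
            return None
        self.state, self.s_key = self.state.rolled(rand2), out["s_key"]
        return out["resp"]


def run_scenario() -> dict:
    # Constructed sample values, not taken from the patent.
    start = Secrets(a_key=bytes(range(16)), b_key=bytes(range(16, 24)),
                    esn=bytes.fromhex("82010203"))
    home, mobile = HomeNetwork(start), MobileStation(start)
    clone = MobileStation(start)              # memory copied before the update
    rand2 = bytes.fromhex("a1b2a1b2")
    _, resp3 = home.bilateral_challenge(rand2)
    # A false base station can replay RAND2 but cannot compute RESP3.
    forged = bytes([resp3[0] ^ 1]) + resp3[1:]
    refused = mobile.bilateral(rand2, forged) is None and mobile.state == start
    # Genuine exchange, relayed by the visited network.
    new_s_key = home.bilateral_finish(rand2, mobile.bilateral(rand2, resp3))
    rand1 = bytes.fromhex("c3d4c3d4")         # RAND broadcast for a later call
    return {
        "false_bs_refused": refused,
        "keys_agree": new_s_key is not None and new_s_key == mobile.s_key,
        "state_in_step": home.state == mobile.state and home.state.count == 1,
        "genuine_admitted": home.unilateral(rand1, mobile.respond(rand1)) is not None,
        "clone_admitted": home.unilateral(rand1, clone.respond(rand1)) is not None,
        "clone_count_matches": clone.state.count == home.state.count,
    }
```

The visited network appears only as a relay here: it sees RAND, RESP values and the released S-key, never the A-key or B-key.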

DEFINITION OF AUTHENTICATION ALGORITHM

The authentication algorithm of the present invention may be used for both authentication on the calling channel (AUTH1) and bilateral authentication on the traffic channel (AUTH2). Exemplary coding of the algorithm is given for some common microprocessor implementations. In the description which follows, certain byte counts have been chosen for the input and output variables of the algorithm. It should be clearly understood, however, that such byte counts are exemplary only and are not intended and should not be construed as a limitation on the applicability of the present authentication algorithm.

The algorithm of the system of the present invention uses a total of 32 bytes of input signals and generates 32 bytes of output parameters. This is achieved by two applications of an algorithm which uses 16 bytes of input variables and generates 16 bytes of output variables. The input variables are:

RAND                          up to 4 bytes   } NON-SECRET
ESN                           up to 4 bytes   } VARIABLES
Ka   permanent key (A-key)    16 bytes        } SECRET
Kb   rolling key (B-key)      8 bytes         } VARIABLES

The 32 output bytes are designated for use within the system as follows:

0-3:   Authentication response (RESP)
4-7:   RESPBIS (needed for bilateral authentication)
8-15:  Called subscriber number mask (if used)
16-23: Next Kb if key update occurs
24-31: Talk variable for enciphering this call (S-key)

The 32 bytes of input to the algorithm are split into groups of 16 bytes which are then used in the first application of the algorithm to produce a first 16 bytes of output (bytes 0-15). The 32 bytes of input are then split in a different way and used in the second application of the algorithm to produce a second 16 bytes of output (bytes 16-31).

The present algorithm (code) is adapted for very efficient and fast execution on simple microprocessors of the type used in cellular radio telephones. Recursive use of a small inner code loop serves to confine the code within a 100-byte region. The outer loop consists of iteratively executing a mixing process five times. The mixing process is illustrated in FIG. 10.

Referring now to FIG. 10, there is shown therein a schematic block diagram of the mixing process used in the authentication algorithm of the present invention. The mixing process 300 is provided with a first input of 16 key bytes and a second input of 16 input bytes. The 16 input bytes to the first iteration consist of the 4 bytes of RAND, 4 bytes of ESN and the 8 rolling key bytes Kb(0-7), in the following order:

RAND   4 bytes (a 16-bit RAND is repeated twice)
ESN    4 bytes
Kb(1)
Kb(2)
Kb(3)
Kb(4)
Kb(5)
Kb(6)
Kb(7)
Kb(0)

The 16 key bytes which are provided as input to each iteration of the mixing process are a cyclic selection from the 8 rolling key bytes Kb(0-7) and the 16 permanent key bytes Ka(0-15). In the first application of the algorithm, the order of use of the 16 key bytes is as follows:

1   Ka(0) ---> Ka(15)
2   Kb(0) ---> Kb(7); Ka(0) ---> Ka(7)
3   Ka(8) ---> Ka(15); Kb(0) ---> Kb(7)
4   Kb(4) ---> Kb(7); Ka(0) ---> Ka(11)
5   Ka(4) ---> Ka(15); Kb(0) ---> Kb(3)

The above key sequences may be obtained simply by copying the key variables to a temporary memory area in the order Kb, Ka, Kb again, and selecting them sequentially from this memory starting at the appropriate place for each iteration.

The mixing process 300 combines the 16 key bytes and the 16 input bytes in pairs using, for example, byte-wide add instructions. The mixing process 300 also uses a random 1:1 substitution box or look-up table, referred to hereinafter as an S-box, to convert a one byte value to another one byte value. The S-box is preferably the same look-up table used by the keystream generator of the present system and discussed above in connection with FIGS. 5-6 as the source of the parameter R. The S-box may be implemented by a 256-byte read-only memory (ROM) which may be included in microprocessor program memory. A 1:1 S-box means that every 8-bit input value produces a unique 8-bit output value, or stated differently, every possible 8-bit value occurs only once in the table. This is desirable in order to avoid an uneven distribution of values. In certain microprocessors, the programming task may be simplified if the S-box is configured to lie on a 256-byte page boundary so that addressing the S-box would require manipulation of the least significant address byte only.

Referring next to FIG. 11, a schematic block diagram of a building block or mixing cell of the mixing process may now be seen. The mixing process may be generally constructed from a plurality of mixing cells or inner loops of the type shown in FIG. 11. The particular mixing process 300 shown in FIG. 10 may be visualised as a vertical stack of 16 such mixing cells. Each of the cells is provided with one key byte and one input byte which are added together by an adder 310. The output of the adder 310 is used to address the contents of an S-box 320 which releases an output byte stored at the address defined by the output of the adder 310. A software implementation of the mixing cell or inner loop is set forth below for both "Intel" and "Motorola" architecture microprocessors.

The second application of the algorithm generates a second group of 16 output bytes which may be used for the conversation key (S-key), and, if performed, update of the rolling key (B-key or Kb(0-7)). The second application of the algorithm is exactly the same as the first application except for the order in which the key bytes and input bytes are used. In the second application of the algorithm, the order of use of the 16 key bytes is as follows:

1   Kb(0) ---> Kb(7); Ka(0) ---> Ka(7)
2   Ka(8) ---> Ka(15); Kb(0) ---> Kb(7)
3   Kb(4) ---> Kb(7); Ka(0) ---> Ka(11)
4   Ka(4) ---> Ka(15); Kb(0) ---> Kb(3)
5   Ka(0) ---> Ka(15)

Additionally, the 16-byte input array is initialised using Ka bytes instead of Kb bytes as follows:

RAND   4 bytes
ESN    4 bytes
Ka(7)
Ka(8)
Ka(9)
Ka(10)
Ka(11)
Ka(12)
Ka(13)
Ka(14)

After executing all five iterations of the second application of the algorithm, the second 8 bytes appearing in the 16-byte input array are used as the temporary enciphering variable (S-key) and the first 8 bytes become the next rolling key if an update of the rolling key is performed. In the event of a rolling key update, the first 8 output bytes overwrite the old rolling key bytes.

The contents of the S-box set forth below are exemplary only and are given in further explanation of the authentication and encryption system of the present invention. The contents of the S-box are expressed in hexadecimal notation below. The first byte is at the beginning address of the ROM, and each subsequent line of data is stored in the following 16 locations of the ROM.



The fixed ROM or S-box is a 256-byte table located on a page boundary addressed by a 16-bit register DE.

CELMIX: LDAX B      ; BC REGISTER IS USED TO POINT TO KEY BYTES
        ADD  M      ; THE HL REGISTER POINTS TO INPUT BYTES
        MOV  E,A    ; THE SUM OF A KEY BYTE AND AN INPUT BYTE
        LDAX D      ; ADDRESSES THE S-BOX
        MOV  M,A    ; OUTPUT BYTE FROM S-BOX OVERWRITES INPUT BYTE
        INX  H      ; NEXT INPUT BYTE ADDRESS
        INX  B      ; NEXT KEY BYTE ADDRESS



The above routine is used as follows:

(1) Set D register to MSB of S-box starting address which lies on a page boundary.
(2) Initialise BC to the appropriate starting address in the array of key bytes according to the iteration number as described previously.
(3) Initialise HL to point to the 16-byte array of input bytes.
(4) Execute routine 16 times.

The immediately preceding steps implement one iteration of the mixing process. Prior to the first iteration, the 16-byte input array is initialised with RAND, ESN and the above-indicated selection of A-key or B-key bytes.

The 16 output bytes lie in the original input byte array and are available for input to the next iteration. After performing all five iterations with the above-indicated selections of key bytes, the 16 output bytes represent the desired output of the algorithm.

CELMIX: LDA  ,X+    ; THE X REGISTER IS USED TO POINT TO KEY BYTES
        ADDA ,Y     ; THE Y REGISTER POINTS TO INPUT BYTES
        LDA  A,U    ; U=ADDRESS OF S-BOX START, A=OFFSET FROM START
        STA  ,Y+    ; BYTE FROM S-BOX OVERWRITES INPUT BYTE

+ signifies autoincrement of indicated register after use
This routine is used as follows:

(1) Set U register to address the start of the S-box.
(2) Initialise X register to point to appropriate key byte according to the order of use of key bytes described previously.
(3) Initialise Y register to point to the beginning of the 16-byte input byte array.
(4) Execute routine 16 times.

The immediately preceding steps implement one iteration of the mixing process illustrated in FIG. 10. Prior to the first iteration, the 16-byte input array is initialised with RAND, ESN and the specified selection of A-key or B-key bytes, as in the previous example. Hence, it is only necessary to re-initialise the Y register to the start of the input byte array and to re-initialise the X register to point to the appropriate key byte for each stage before executing the four remaining iterations. After the fifth iteration, the 16-byte input array contains the 16 output bytes from the first application of the algorithm which are used for authentication and, if implemented, subscriber identity masking.
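
The mixing process and key selection described in this section, as an added example that is not the patent's own code: it builds the Kb, Ka, Kb temporary area, selects the 16 key bytes for each of the five iterations of both applications, and runs the 16 mixing cells per iteration. The S-box is a constructed permutation standing in for the ROM table, the layout of the RAND and ESN bytes within the input array is an assumption, and all function names are hypothetical.

```python
# CONSTRUCTED 1:1 S-box for illustration (an odd multiplier gives a permutation
# of 0..255). It is NOT the patent's ROM table and has no cryptographic value.
SBOX = bytes((i * 167 + 13) % 256 for i in range(256))

# Start offsets into the temporary area "Kb, Ka, Kb again" for iterations 1..5.
FIRST_STARTS = (8, 0, 16, 4, 12)     # first application
SECOND_STARTS = (0, 16, 4, 12, 8)    # second application


def key_area(ka, kb):
    """Temporary memory area holding Kb, Ka, Kb again (32 entries)."""
    if len(ka) != 16 or len(kb) != 8:
        raise ValueError("Ka must have 16 entries and Kb 8 entries")
    return kb + ka + kb


def key_window(area, start):
    """The 16 key bytes of one iteration: sequential entries from `start`."""
    return area[start:start + 16]


def schedule(starts):
    """Key bytes per iteration as labels, for comparison with the listed order."""
    area = key_area([f"Ka({i})" for i in range(16)],
                    [f"Kb({i})" for i in range(8)])
    return [key_window(area, s) for s in starts]


def mix(block: bytes, keys: bytes) -> bytes:
    """One iteration = 16 mixing cells: byte-wide add, then S-box look-up.
    Each output byte overwrites the input byte in the same position."""
    return bytes(SBOX[(k + x) & 0xFF] for k, x in zip(keys, block))


def application(block: bytes, ka: bytes, kb: bytes, starts) -> bytes:
    """Five iterations of the mixing process with the given key selection."""
    area = key_area(ka, kb)
    for start in starts:
        block = mix(block, key_window(area, start))
    return block


def authenticate(rand16: bytes, esn: bytes, ka: bytes, kb: bytes) -> dict:
    """Both applications; returns the 32 output bytes under their names.
    ASSUMPTION: RAND and ESN bytes are placed in the order they are passed."""
    if len(rand16) != 2 or len(esn) != 4:
        raise ValueError("RAND must be 2 bytes (used twice) and ESN 4 bytes")
    head = rand16 + rand16 + esn                  # 16-bit RAND included twice
    first = application(head + kb[1:] + kb[:1],   # Kb(1)..Kb(7), Kb(0)
                        ka, kb, FIRST_STARTS)
    second = application(head + ka[7:15],         # Ka(7)..Ka(14)
                         ka, kb, SECOND_STARTS)
    return {"resp": first[0:4],       # output bytes 0-3
            "respbis": first[4:8],    # output bytes 4-7
            "mask": first[8:16],      # output bytes 8-15
            "next_kb": second[0:8],   # output bytes 16-23
            "s_key": second[8:16]}    # output bytes 24-31
```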

It should be appreciated from the foregoing that a number of concepts are implemented in the system of the present invention. Among these concepts is the principle that some part of the authentication key (i.e., the "rolling key" part) should be periodically updated so that clones would be required to track the history of the system. Bilateral authentication is used on the traffic channel to effect a rolling key update which is linked to a call counter update.

It may also be seen that execution of the authentication algorithm of the present invention also generates a temporary conversation key or "talk-variable" security key (S-key) which may be used for enciphering a subsequent call or group of calls and the actual secret permanent subscriber key (A-key) is never released by the home network. In addition, the algorithm of the present invention produces another output which may be used to mask the called subscriber identity.

The foregoing description shows only certain particular embodiments of the present invention. However, those skilled in the art will recognise that many modifications and variations may be made without departing substantially from the spirit and scope of the present invention. Accordingly, it should be clearly understood that the form of the invention described herein is exemplary only and is not intended as a limitation on the scope of the invention as defined in the following claims.

1. A method for the generation of a plurality of parameters for use in enhancing the security of communication in a digital cellular communications system in which each mobile station is assigned a unique multi-digit secret permanent key and in which a periodically changed multi-digit rolling key is employed for increased security, both said permanent key and said rolling key being stored in each mobile station and the home network of the mobile, said method comprising:

receiving at a location a plurality of multi-digit input signals, including, a signal representative of a random authentication inquiry from a visited network and a signal representative of a particular mobile station along with the multi-digit permanent key of said particular mobile station and the multi-digit rolling key associated with said particular mobile at that particular time;

arranging the digits of said input signals in a first grouping;

calculating from said first grouping of input signals and said permanent and rolling key digits a first output value in accordance with a first algorithm;

assigning sequentially arranged blocks of digits comprising said first output value to selected parameters for use within said system, including, an authentication response to be used by said mobile station to reply to the authentication inquiry by the visited network and an authentication signal to be used by the visited network to authenticate it to the mobile station;

arranging the digits of said input signals in a second grouping;

calculating from said second grouping of input signals and said permanent and rolling key digits a second output value in accordance with a second algorithm; and

assigning sequentially arranged blocks of digits comprising said second output value to selected parameters for use within said system, including, a security key to be used to calculate a keystream of pseudo-random bits for enciphering communications data within the system and a new rolling key to be associated with the particular mobile at a next particular time.

2. A method for the generation of a plurality of
parameters for use in enhancing the security of
communication in a digital cellular communications system as
set forth in Claim 1 in which:
the output parameters for use within said system to
which said sequentially arranged blocks of digits comprising
said first output value are assigned also includes a signal
to be used to mask the called number transmitted by the
mobile station.

3. A method for the generation of a plurality of
parameters for use in enhancing the security of
communication in a digital cellular communications system as
set forth in Claim 1 in which: said first and second
algorithms comprise recursive executions of a code loop.

4. A method for the generation of a plurality of
parameters for use in enhancing the security of
communication in a digital cellular communications system as
set forth in Claim 1 in which: said input signals and
said key digits are grouped into bytes and said first and
second algorithms comprise a mixing process in which
respective pairs of bytes of input signals and key digits
are iteratively added to one another.

5. A method for the generation of a plurality of
parameters for use in enhancing the security of
communication in a digital cellular communications system as
set forth in Claim 1 in which: said method is executed
in the home exchange of each mobile station.

6. A method for the generation of a plurality of
parameters for use in enhancing the security of
communication in a digital cellular communications system as
set forth in Claim 4 in which: calculation in accordance
with said first algorithm comprises grouping a sequence of
bytes including said input signals and said rolling key
digits and then mixing respective bytes thereof with bytes
of said permanent key arranged in a first order by adding.

7. A method for the generation of a plurality of
parameters for use in enhancing the security of
communication in a digital cellular communications system as
set forth in Claim 6 in which: calculation in accordance
with said second algorithm comprises grouping a sequence of
bytes including said input signals and said rolling key
digits and then mixing respective bytes thereof with bytes
of said permanent key arranged in a second order, different
from said first order, by adding.

8. A method for the generation of a plurality of
parameters for use in enhancing the security of
communication in a digital cellular communications system as
set forth in Claim 4 in which: the value obtained from
each addition is used to obtain a random number from a fixed
look-up table having a 1:1 mapping between its input and its
output.

9. A method for the generation of a plurality of
parameters for use in enhancing the security of
communication in a digital cellular communications system as
set forth in Claim 4 in which: said fixed look-up table
is also used to obtain random numbers for use in an
algorithm for generating a pseudo-random keystream for
enciphering communications data within said system.

10. A system for generating a plurality of
parameters for use in enhancing the security of
communication in a digital cellular communications system in
which each mobile station is assigned a unique multi-digit
secret permanent key and in which a periodically changed
multi-digit rolling key is employed for increased security,
both said permanent key and said rolling key being stored in
each mobile station and the home network of the mobile, said
system comprising:

means for receiving at a location a plurality of multi-
digit input signals, including, a signal representative of a
random authentication inquiry from a visited network, and a
signal representative of a particular mobile station along
with the multi-digit permanent key of said particular mobile
station, and the multi-digit rolling key associated with
said particular mobile at that particular time;

means for arranging the digits of said input signals in
a first grouping;

means for calculating from said first grouping of input
signals and said permanent and rolling key digits a first
output value in accordance with a first algorithm;

means for assigning sequentially arranged blocks of
digits comprising said first output value to selected
parameters for use within said system, including, an
authentication response to be used by said mobile station to
reply to the authentication inquiry by the visited network
and an authentication signal to be used by the visited
network to authenticate it to the mobile station;

means for arranging the digits of said input signals in
a second grouping;

means for calculating from said second grouping of
input signals and said permanent and rolling key digits a
second output value in accordance with a second algorithm;
and

means for assigning sequentially arranged blocks of
digits comprising said second output value to selected
parameters for use within said system, including, a security
key to be used to calculate a keystream of pseudo-random
bits for enciphering communications data within the system
and a new rolling key to be associated with the particular
mobile at a next particular time.

11. A system for generating a plurality of parameters
for use in enhancing the security of communication in a
digital cellular communications system as set forth in Claim
10 in which:

the output parameters for use within said system to
which said sequentially arranged blocks of digits comprising
said first output value are assigned also includes a signal
to be used to mask the called number transmitted by the
mobile station.



12. A system for generating a plurality of
parameters for use in enhancing the security of
communication in a digital cellular communications system as
set forth in Claim 10 in which:

said first and second algorithms comprise recursive
executions of a code loop.

13. A system for generating a plurality of parameters
for use in enhancing the security of communication in a
digital cellular communications system as set forth in Claim
10 in which:

said input signals and said key digits are grouped into
bytes and said first and second algorithms comprise a mixing
process in which respective pairs of bytes of input signals
and key digits are iteratively added to one another.

14. A system for generating a plurality of parameters
for use in enhancing the security of communication in a
digital cellular communications system as set forth in Claim
10 which also includes:

means for implementing said system in the home exchange
of each mobile station.




15. A system for generating a plurality of parameters
for use in enhancing the security of communication in a
digital cellular communications system as set forth in Claim
13 in which:

said means for calculation in accordance with said
first algorithm comprises means for grouping a sequence of
bytes including said input signals and said rolling key
digits and then mixing respective bytes thereof with bytes
of said permanent key arranged in a first order by adding.

16. A system for generating a plurality of parameters
for use in enhancing the security of communication in a
digital cellular communications system as set forth in Claim
15 in which:

said means for calculation in accordance with said
second algorithm comprises means for grouping a sequence of
bytes including said input signals and said rolling key
digits and then mixing respective bytes thereof with bytes
of said permanent key arranged in a second order, different
from said first order, by adding.

17. A system for generating a plurality of parameters
for use in enhancing the security of communication in a
digital cellular communications system as set forth in Claim
13 in which: the value obtained from each addition is used
to obtain a random number from a fixed look-up table having
a 1:1 mapping between its input and its output.

18. A system for generating a plurality of parameters
for use in enhancing the security of communication in a
digital cellular communications system as set forth in Claim
17 in which: said fixed look-up table is also used to
obtain random numbers for use in an algorithm for generating
a pseudo-random keystream for enciphering communications
data within said system.